web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps / Duplicating DLP's
Power Apps
Unanswered

Duplicating DLP's

(0) ShareShare
ReportReport
Posted on by grantreid 186

I wanted to check that  I'm approaching this the right way and haven't missed something.... 

 

We have a default DLP which is applied to the default and newly created environments. However, whenever someone wants a custom connector in their prod environment, a new DLP has to be created to allow it. This requires all 50ish connectors from the default DLP to be added to this new DLP, along with the custom connector. 

I find it frustrating the DLP's are exclusive not inclusive.  Now... every time we make a change to the default DLP, whenever a new Microsoft connector is added or changed, we have to update every other DLP!!!! I find this counter productive.

 

1. Is there a way to copy DLP's?   I'm currently sitting here with split screens, with the new and old side by side manually mirroring the business connectors.   I'm pondering creating a powershell script... 

 

2. Am I correct with the "exclusive" aspect? What's the logic with this?  Shouldn't it be that you have a base level DLP which applies across the board and in Environment X, you can also use connector Y granted by an additional DLP?  This would be a more common scenario than needing to reduce/restrict the default DLP connectors.

Categories:
Governance & administering
I have the same question (0)
  • v-bofeng-msft Profile Picture
    v-bofeng-msft on at

    Hi @grantreid :

    About Q1:

    I'm not sure what copy DLP means. If you want to apply the same DLP to multiple environments, then this can be done.Just set the scop of the specified DLP, and then configure it:

    1.JPG

    About Q2:

    If there are multiple DLPs in an environment, these DLPs need to be satisfied at the same time.

    I think this link will help you a lot:

    Combined effect of multiple DLP policies 

    Best Regards,

    Bof

  • grantreid Profile Picture
    grantreid 186 on at

    Hi Bof

     

    No problems adding or excluding DLP's across multiple environments. Where I getting stuck is if someone wants an additional connector which is allowed only in their environment, I can't add it to the standard DLP which is applied across multiple.  So, a new DLP is required. 

     

    please correct me if I'm wrong:

    If the default policy A (applied across multiple environments) has the 50 (roughly)  family of Microsoft standard connectors set as "Business"  and I create policy B with 1 custom connector in "Business", the result is they negate each other and 0 connectors are in the Business category. 

     

    If I want all 50 connectors from policy A to be allowed to work with the 1 custom connector, all 50 Microsoft connectors have to be added to policy B? 

  • v-bofeng-msft Profile Picture
    v-bofeng-msft on at

    Hi @grantreid :

    I think I roughly understand what you mean. You want to increase the number of connecotors that can be used simultaneously by adding DLPs. Am I right?

     

    If so,the answer is 'No'.In other words, your app must satisfy the rules of DLPA, B, C ...at the same time.

    For example:

     

    DLPA

    Bussiness:A,B

    Non Bussiness:C,D

     

    DLPB

    Bussiness:A

    Non Bussiness:,B,C,D

     

    Then A and B cannot appear in the same app,because it violates the rules of DLPB.

     

    However,there is another situation where DLPA and DLPB are opposite.

     

    DLPA

    Bussiness:A,B

    Non Bussiness:C,D

     

    DLPB

    Bussiness:C,D

    Non Bussiness:A,B

     

    Then, since A and B do not violate any DLP rules, they can appear in the same application.

     

    So if you want to use 51 connectors, I suggest you remove the original DLP and then add a new DLP. Or directly modify the original DLP.

     

    Best Regards,

    Bof

     

     

     

     

     

  • grantreid Profile Picture
    grantreid 186 on at

    Yes.. this is exactly my point, you've finally reached the same conclusion.... you need to add a new DLP with all of the same connectors as the default. We're not going to modify the original DLP as we don't want the majority of the users accessing this additional connector. 

    Every time someone wants something slightly different, I have to create a new DLP, which means duplicating all of the default connectors.  As far as I'm aware, this is a manual process of clicking "add to business" for 50ish connectors.  This is time consuming.  Also... every time Microsoft changes one of their family of connectors, retires something and adds a new one, I have to update all of the other customized DLPs.  For a platform pushing automation, this is mental.  So back to the original questions: 

    1. There should be a way to copy a DLP. 

     

    2. DLP's should be inclusive, not exclusive.  There should be a default DLP applied across all environments (maybe some are excluded if required) and if you want to customize something, you can add a second DLP.  This would be the same concept as standard Security Groups. 

  • v-bofeng-msft Profile Picture
    v-bofeng-msft on at

    Hi @grantreid :

    I am afraid that your request cannot be realized at the moment. If you need this feature, I suggest you post your ideas to the idea form.

    Best Regards,

    Bof

  • LarsHem Profile Picture
    LarsHem 74 on at

    @grantreid did you find a solution for this? We are struggling with the same and started to look into the "power platform for admins" connector to see if we could use some logic there.

  • grantreid Profile Picture
    grantreid 186 on at

    I set up some powershell scripts to export a list of connectors as the 'default' DLP.   If someone wants an environment with something different, can just build a new DLP with powershell from this list and add the additionals. 

  • LarsHem Profile Picture
    LarsHem 74 on at

    Update from our side.

    We decided to create a flow to copy all "settings" from our Default policy, create a new dlp and add selected environments to the new DLP and remove the selected environment from the Default policy.

    Selecting environment, giving the new policy a name and executing the flow is done in a new screen we added to the CoE DLP Editor.

    Any changes to the DLP (primarly adding new connectors to Business) must be done manually in DLP Editor in Coe after the new DLP is created.

  • Rc86 Profile Picture
    Rc86 14 on at

    any chance you feel like sharing?

     

    i've been trying to do this and can create the new dlp and apply all business connectors but not modify non-business and blocked connectors

     

  • Verified answer
    Rc86 Profile Picture
    Rc86 14 on at

    In the interest of anyone else trying to figure this out i finally got something that works. It creates a new environment and copies a DLP of your choice to that env. The new DLP sets the default connector group to blocked also.

     

    Bare in mind i haven't ever worked in Powershell, or with the PowerAppsAdmin module, before. I make no assertions around the following and you should test them yourself before using them.

     

    2 files are attached:

    1. 'function Add-ConnectorToDataGroup_v2'.txt' - run this first to create the requisite functions (you may have to run the commented install, import & add commands in 'NewEnvAndDlp_v1.txt' first).
    2. 'NewEnvAndDlp_v1.txt' - run this, it will prompt you for new environment name & description, new DLP name and the name of the DLP you want to copy [hint: this performs a search of type *query* on existing policies, my standard DLP is called 'Restricted(Default) - DLP' so i can simply enter 'default' ] .  Make sure that the return codes you get are of the '200' type (as shown in attached image 'Expected.png'). 

     

     

     

     

     

     

    Expected.PNG
    NewEnvAndDLP.zip

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!

Quick Links

Forum hierarchy changes are complete!

In our never-ending quest to improve we are simplifying the forum hierarchy…

Ajay Kumar Gannamaneni – Community Spotlight

We are honored to recognize Ajay Kumar Gannamaneni as our Community Spotlight for December…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Apps

#1
WarrenBelz Profile Picture

WarrenBelz 796 Most Valuable Professional

#2
Michael E. Gernaey Profile Picture

Michael E. Gernaey 327 Super User 2025 Season 2

#3
Power Platform 1919 Profile Picture

Power Platform 1919 268

Last 30 days Overall leaderboard

Featured topics

Auto-Populate field Power Pages
Gallery Tabs - Show or Hide Tabs based on Field Value
How to patch multiple records at once
Enable Copilot for end users in model-driven apps
Question for everyone : How are you using Create Text GPT in AI Builder?
Community content - sample components, blogs etc. - Link to this page (http://aka.ms/PCFdemos)
Welcome to the Power Apps forum!

Product updates

Microsoft Power Platform Community release plans